Product Reviews

Delegate NT Administration

Trusted Enterprise Manager lets systems administrators sleep at night.

If you’re responsible for managing a large network with a Windows NT backbone, sooner or later you run up against a simple problem: By default, nearly every bit of user management has to be done by members of the Domain Admins group. Unfortunately, this group has awesome powers to mess things up if its members aren’t careful. This leaves you with two unattractive choices:

  • Put a lot of users in the Domain Admins group and hope no one causes a disaster.

  • Keep the Domain Admins group small, and require a few administrators to take care of every lost password and group membership request.

Trusted Enterprise Manager (TEM) offers a third option. This client/server software allows you to define groups of trusted users who can perform a limited subset of the domain’s administrative functions. For example, the people who answer the phone at your corporate help desk could be empowered to reset passwords and change group membership—but nothing else!

TEM consists of a server application and a client application. The server application runs on one or more of your domain controllers and logs on using a privileged account. The client application communicates with the server application rather than directly with the underlying Windows NT structure. This enables the server to do its own security checking and decide whether a particular operation should be allowed. Indeed, because the clients get their information from the server, the assigned administrators don’t even see accounts or operations that they can’t work with. A nice touch is the Quick Password Reset dialog. TEM makes password resets super easy to do, which solves a large number of help desk calls.

Quick Password Reset is just one of many functions you can delegate in Trusted Enterprise Manager.

TEM lets you delegate many functions in addition to password management:

  • Changing account information

  • Deleting users

  • Enabling RAS access

  • Forcing a password change

  • Modifying logon hours

  • Modifying user profiles

  • Changing group membership
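The brokered model described above, where a privileged server checks each client request against what that delegate is allowed to do, can be sketched as follows. This is an added example and not TEM's code or API. The role names, the per-department account scope, the sample directory and the audit list are all assumptions made for the illustration.

```python
# Added illustration: a toy delegation broker, not TEM's actual code or API.
# Roles, department scopes and directory contents are constructed for the example.
from dataclasses import dataclass, field

# Constructed policy: operations each role may perform, and on which accounts.
POLICY = {
    "helpdesk": {"ops": {"reset_password", "change_group_membership"}, "scope": "Sales"},
    "hr_admin": {"ops": {"change_account_info", "modify_logon_hours"}, "scope": "Sales"},
}

@dataclass
class Broker:
    """Stands in for the server: it alone holds privileged access to the directory."""
    directory: dict   # account name -> {"dept": str, "must_change": bool}
    delegates: dict   # caller name -> role
    audit: list = field(default_factory=list)  # assumed: every decision is recorded

    def _grant(self, caller):
        return POLICY.get(self.delegates.get(caller))  # None for unknown callers

    def visible_accounts(self, caller):
        """Clients only learn about accounts inside their delegated scope."""
        grant = self._grant(caller)
        if grant is None:
            return []
        return sorted(a for a, rec in self.directory.items() if rec["dept"] == grant["scope"])

    def request(self, caller, op, account):
        """Check the request server-side, log the decision, then act (default deny)."""
        grant = self._grant(caller)
        target = self.directory.get(account)
        allowed = (grant is not None and target is not None
                   and op in grant["ops"] and target["dept"] == grant["scope"])
        self.audit.append((caller, op, account, "ALLOW" if allowed else "DENY"))
        if not allowed:
            return False
        if op == "reset_password":
            target["must_change"] = True  # the privileged change is made by the broker
        return True

def demo():
    directory = {"alice": {"dept": "Sales", "must_change": False},
                 "dcadmin": {"dept": "DomainAdmins", "must_change": False}}
    broker = Broker(directory, {"pat": "helpdesk"})
    results = [broker.request("pat", "reset_password", "alice"),    # in role and scope
               broker.request("pat", "delete_user", "alice"),       # operation not delegated
               broker.request("pat", "reset_password", "dcadmin"),  # account out of scope
               broker.request("sam", "reset_password", "alice")]    # caller has no role
    return broker.visible_accounts("pat"), results, broker.audit
```

The delegate's own account never holds domain privileges in this sketch. Only the broker touches the directory, so the policy table is the single place to review who can do what.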

For large domain structures, TEM offers distributed and cached security information. This adds fault tolerance to your network’s user management, and things like the refresh rate for cached information can be adjusted for the best balance of performance and concurrency. TEM also integrates with Microsoft Exchange, so you can delegate the creation and modification of Exchange mailboxes, as well as other user administration tasks.

All in all, Trusted Enterprise Manager is a polished solution that will come in handy in many large enterprises. It appears that MDD takes security very seriously. Although TEM has been out for three versions now, there have been no reports of security holes in it at any of the major security sites I monitor—which is more than you can say for Windows NT.

About the Author

Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.
